
Mon, 20 Dec 2004

Short Term Sabbatical
This year has been a pretty rough one for me, too many good people gone forever with nary a replacement in sight, the proving of "no news is good news" (one more "are you sitting down" phone call and I'm either gonna go boom or crack) and lots of crap rained down from above. In response to life taking a firm hold of my dangly bits I've decided to take the next eleven days out and then start afresh from January (I know it's only a symbolic date) with a clear head, a lot more enthusiasm and a lighter tone.

In the mean time my site / blog / email / apps should all be considered suspended while I get some things in order. I'll hopefully be back in the New Year with a lot more tech to post and code to share.

Have a Merry Christmas, a Happy New Year and thanks for reading Unixdaemon.net
Dean Wilson -- Site Owner and Tech Rambler

Posted: 2004/12/20 20:41 | /meta


Sat, 18 Dec 2004

Proprietary or Custom Search Engines -- Don't!
One of the things that irks me about many of the sites I visit is the steaming pile of shite they call searching. Between the missing entries, the irrelevant articles and, this is my killer, only actually using one of the search words provided, I can't see why people even bother to put the entry box on the site when you can get far superior results from Google.

Now before I get accused of being a hypocrite I'd like to point out that the Unixdaemon.net search box is actually provided by, and uses, Google so the results, while not always bang up-to-date are typically useful and honour the actual search you enter.

If you have your own site PLEASE don't try and write your own search engine from scratch unless you have a fair amount of practical and proven knowledge of how to do it. If the site does have a sucky search engine there are a couple of ways to use Google to your searching advantage, but that's best saved for another post.

Posted: 2004/12/18 21:33 | /tools/online


IE Blog -- Off the Reading List
I've got a page of Internet Explorer Plugins on Unixdaemon.net, while none of them are complex they do seem to be both useful and quite popular (over 30,000 downloads in the last five months... not too bad :)) and so I have a fair amount of interest in IE despite being a very happy FireFox user.

Now Microsoft have decided to make themselves more open and transparent, and part of this includes something called the IE Blog, a site I subscribed to about a day after it started. In my view IE is an area of MS that I'd expect to have a fair bit of activity, it's used by a high percentage of the 'net, FireFox and Mozilla are beating at its door and, let's be honest, it's an excellent example of how to not do secure coding. From phishing attacks, broken code separation and huge numbers of vulnerable automation interfaces this is hardly a stable, mature and boring project; although that's the impression you get from reading the IE blog.

For a description of what they were willing to talk about have a look at the What we talk about on IEBlog posting (coincidentally written by a guy named Dean) and then have a browse through the archives. See if you can find any more than one thing per month that's actually worth reading and not just faff. While most of the MS blogs are excellent and help promote the company this one is a good example of how not to run a corporate blog; it feels too clean, sanitised and well, dead. One less feed for me to read.

Posted: 2004/12/18 21:23 | /tools/gui


Cubicles, Desks and Cabling: Natural Enemies
As a sysadmin a (hopefully) small chunk of my time is taken up laying cables and physically adding machines to the network (a desktop support person, my kingdom for a desktop support person!), while this shouldn't be too hard most modern offices seem purpose built to drive me insane.

Firstly we have the two patch ports and four plugs for six people. This forces you to invest in four / six way extension leads and a switch under each row of desks; as an aside a switch for each person with a laptop or more than one machine is a nice thing to have.

Then we have the cubicles and desks that fit together perfectly. And leave no space to actually run anything useful like telephone, monitor, keyboard or mouse cables. This seems to be a symptom of cheap desks but it's annoying as hell. If the desk doesn't have a hole large enough to slide a plug through (it's always easier to drop a plug down than it is to pull a cable up) then don't buy it. In the long run your staff will thank you.

When it comes to offices Joel's Bionic Office is an excellent example, not only for the private offices (please yes!) but for the switches on each desk, the ceiling mounted cable runs (under floor cabling is a whole separate rant...) and the DESK HEIGHT power outlets.

If you come away from this post with one thing please let it be that power and networking should be AT DESK HEIGHT and not tucked away behind the actual furniture, staff and badly cleaned carpet. Please!

Posted: 2004/12/18 21:06 | /nottech


Blunkett Quits Before Being Fired(?)
Today we have some good news, David Blunkett has quit after his dirty washing was dragged around in public. Normally I'd keep anything political away from this site but this is noteworthy as he's the man who's been pushing ID cards.

I'm all for good security, which is one of the reasons I'm against ID cards. They add cost to the system, complexity to the people forced to use them and don't actually provide any benefits. The only people that care about not having the cards are the innocent ones, the "terrorists", muggers and other assorted criminals ain't exactly going to be stopped with this "I was going to commit a burglary... Damn I forgot my ID card again best leave the house alone.". Yeah right.

Posted: 2004/12/18 20:54 | /nottech


Thu, 16 Dec 2004

Trust Me or Sack Me.
One of my more infamous quotes at work is "trust me or sack me." This is the shorter, pithier version of one of my stronger views, you should never hire people you don't trust or have faith in. When you take on a new employee you are investing a lot of money and effort, both in initial outlay and over a period of time. If you don't fully believe your hiring choice is the correct one then don't make it. Otherwise you'll be second guessing yourself, the employee will pick up on it and the rest of the team might not be too happy.

Now on to the more controversial part, if you've hired someone then give them the benefit of the doubt and let them do their job. There is an expression I'm quite fond of, "I don't keep a dog and bark myself.", if you find yourself second guessing, arguing or overriding your staff's viewpoints a lot then you need to either take a step back or seriously look at whether the employee has a future in your company because one way or another you do have a problem.

Posted: 2004/12/16 10:45 | /nottech


Wed, 15 Dec 2004

MS Network Access Protection (NAP) -- Paranoid Visions
TheRegister has an informative, and pretty short, article on MS NAP, a technology that should help keep networks clear of worm activity by requiring all machines to have up-to-date patching and anti-virus before the network equipment will let them play with others.

Now let's gloss over the more obvious question, how do you get a machine on the network for the first time, as it's simple, the kind of company that actually needs this will have a patch management system in place for new builds (maybe just something like MS SUS) to bootstrap the process. The real questions to ask are, will any anti-virus software except MS Anti-virus (or whatever they call it by then) actually work with this? And more importantly will it be easy to turn this feature off so we can add *Nix boxes to the network?

Posted: 2004/12/15 00:39 | /security


Not The Doom Movie.
I've done my time in the first person trenches, from Single player Wolfenstein, all the way to Halflife and its expansion packs along with a diversion into multi-player Jedi Knight 2 (If you played online I probably kicked your arse :)) and the early Doom games hold a warm place in my nostalgia but let's face it, a Doom movie was always going to be bad.

The script writer, David Callahan, has made a couple of comments online, the full Doom Screenwriters open letter is available but I quite like the Penny Arcade Doom Movie Strip which summarises the article quite nicely.

Now let's take my favourite two comments out of context:
1: Because let's be honest here: as far as a completely immersive and cinematic experience, we were never going to top Doom 3 anyway, and we all knew that.

2: I don't enjoy watching a bunch of strangers bastardize my baby any more than you do, but really none of us can do anything about it at this point,

It might just be my interpretation but that makes two things spring to mind, firstly the game's a better investment and secondly that it'll be shite and he knows it. Oh well, considering all the changes they've made it's not like it's actually Doom the movie after all. Final thoughts? Please don't watch it, let the thing flop.

Posted: 2004/12/15 00:12 | /geekstuff


Mon, 13 Dec 2004

Be Nice to your Manager
Because if you have a good one you won't realise how good they are until you get a complete doozy. A while ago I had the luck to work for a very insightful manager, let's call him Mike (his parents did). It took him about an hour to figure me out and from then on he played me masterfully, always the right amount of trust to ensure I was confident about my work but with enough challenge to both make me think about what I was doing and push me into giving more than the pay rate warranted. At the time I never even considered myself managed, that's how good he was.

I only made a single mistake while working at that job, I ran an ls over a deeper directory, answered a question and then without rechecking my location on the system ran a recursive permission change. I went white and made a little choking sound that can't really be described as cute. I'd nuked the permissions on our backup HPUX server.

I expected to be shouted at or dragged off into a dressing down, instead I got a pleasant surprise (although it wasn't until later I understood it was the best possible thing for a manager to do). "Can you fix whatever you just did?" "Yes, it'll take about half-an-hour." "I'm going for a coffee, we'll talk when I get back." I spent the next half an hour working with our QA guy as my spotter and put the settings back based upon the live box. Forty five minutes later my boss came back and asked if all was well. I sheepishly nodded yes and the only mention of the fact I'd screwed up was: "You know what you did. Learn and see it doesn't happen again." That was pretty much three years ago and I've never failed to double check my location again.

A big mistake or failure needs to be acknowledged, looked at and learned from. The important part is how the issue is dealt with, if you spend an hour having the same thing gone over and over all that the employee brings away from the meeting is a destroyed morale, diminished confidence in both their own ability and the manager's trust in them. Be a smart manager, know what needs to be said and what doesn't; if the worker is a professional he'll be beating himself up about it.

As for me, next time I get an understanding manager like Eric Sink or Mike I'll be a little nicer, a lot more appreciative and a bit slower running chmod.

Posted: 2004/12/13 23:12 | /career


This is a Local Service for Local People...
In a previous post about blacklisting IP ranges used by China I stated why I feel it's a valid approach. I think I should clarify my own actions when it comes to things like this.

Any servers that are owned and admined by me alone (Bytemark Virtual machines, friends' servers etc) have a number of deny rules in place to drop connections to a number of important ports (SSH, SSL etc) to reduce the attack vectors provided by the servers. These rules block connections from any IP addresses not in the UK, Brussels and a couple of other countries, if I'm going to a tech conference I'll open the range slightly to allow remote access but I'll turn on stupid amounts of logging for the duration of the trip.

For work machines the rules have to be a little different, most companies fit into one of two categories, those that have geographically dispersed teams and those that don't. It's worth noting that for the purpose of this post I'm only discussing admin and other important services, SSH, SSL to certain servers etc, not web and email traffic. For those I do layer 7 filtering.

The only real difference between the two is how many allow rules you have to add. It should not be possible for Joe Random Stranger in the land of the script kiddies to even probe those services unless they are located in the same country as your admins. By adding simple, logical rules like these you reduce your exposure dramatically and increase your network's security at pretty much no loss of functionality.
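The allow-then-drop policy described above, as an added example that is not part of the original post: it merges the permitted ranges, decides accept or drop for the admin ports only, and emits matching rules. The iptables syntax is an assumption (the post names no firewall), and the networks are constructed documentation ranges standing in for real country allocations.

```python
import ipaddress

# Admin services covered by the policy (SSH and SSL, as in the post).
ADMIN_PORTS = {22, 443}

# Constructed stand-ins for the "home" country ranges and a temporary
# range opened for the duration of a trip.
HOME_RANGES = ["192.0.2.0/24", "198.51.100.0/25"]
TRAVEL_RANGES = ["198.51.100.128/25"]


def build_allowlist(base, travel=()):
    """Parse CIDR strings and merge adjacent or overlapping networks.

    Collapsing keeps the number of allow rules as small as possible.
    """
    nets = [ipaddress.ip_network(n) for n in list(base) + list(travel)]
    return list(ipaddress.collapse_addresses(nets))


def decide(src, dport, allowlist):
    """Return ACCEPT or DROP for admin ports, PASS for everything else.

    PASS means this policy has no opinion; web and mail traffic is
    filtered elsewhere, as the post notes.
    """
    if dport not in ADMIN_PORTS:
        return "PASS"
    addr = ipaddress.ip_address(src)
    return "ACCEPT" if any(addr in net for net in allowlist) else "DROP"


def iptables_rules(allowlist):
    """Emit one ACCEPT per allowed network, then a final DROP for the ports."""
    ports = ",".join(str(p) for p in sorted(ADMIN_PORTS))
    match = "-p tcp -m multiport --dports " + ports
    rules = ["-A INPUT -s %s %s -j ACCEPT" % (net, match) for net in allowlist]
    rules.append("-A INPUT %s -j DROP" % match)
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(build_allowlist(HOME_RANGES, TRAVEL_RANGES)):
        print(rule)
```

Because the two /25 networks are adjacent, opening the travel range does not add a rule: the pair collapses into a single /24.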

Posted: 2004/12/13 20:19 | /security


One Writer, Multiple Readers
Here's my feature request for Gmail, a service I'm mostly happy with.

It'd be nice if you could set up read only access to your inbox, or even designated 'labels' that you could limit by either assigning a password or allowing full (read) access to everyone.

I pipe quite a few mailing lists into my GMail account and I'd like the ability to give certain people read access to anything labelled as security, RedHat Cluster or any other label I choose to set; but without the risk of them deleting things.

This would allow both easy book-marking and sharing of links to content you've received by email and allow an easy way to do small, semi-private, but multiple participant mailing-lists.

Posted: 2004/12/13 20:07 | /tools/online


Blocking IP Addresses, Nation By Nation
Quite soon the Chinese government won't have to try to censor the net. The western world will just filter off all the traffic coming from China, doing the job much more efficiently.

The above quote came from a Slashdot article on China and its Relation With Spam. I don't normally read the comments on Slashdot articles but I had a hunch some of the posts to this one would be quite extreme; SPAM is one thing that drives most geeks nuts.

The thing that surprised me the most is that there seem to be two main camps. People who run networks and who block and refuse to accept connections from China, Korea and similar dens of useless computer laws and the people that claim this is a violation of rights / free speech etc. To the people in this second group I have one thing to say. Bollocks.

I can block who I want on my servers and as long as I mention it nice and clearly to my users I can block these ranges for them too. If you don't like it, then tough. Let the local legitimate users lobby for changes to the law, tidy up their own act and then, after this has been done, I'll let them talk to my networks again. In the mean time I hope you enjoy the "Connection Refused" messages.

Posted: 2004/12/13 20:00 | /geekstuff


Sun, 12 Dec 2004

VMWare 5 Beta Reveals New Features
Firstly I need to try and get on to the VMWare beta program instead of only reading about the neat new changes from articles like Flexbeta's Inside VMWare Workstation 5.0 Beta. Secondly I'd like to get my hands on this release for two main reasons, firstly the ability to stop and start groups of machines at once would make testing certain sets of machines (webserver and database server used by it for storage) a lot nicer.

The second one is less immediate, I'm a big fan of Jon Udell's ScreenCasting and VMWare now provide the ability to record an AVI of the guest machine and I'd like to get a feel for the quality and the size of the movies produced.

Posted: 2004/12/12 12:34 | /tools/gui


Sun, 05 Dec 2004

Gigabit Ethernet? Bah! I need REAL speed!
Although it actually sounds pretty fast, when you actually start benchmarking it, Gigabit Ethernet isn't quite as good a solution as you'd think. As more and more commercial deployments move to using SANs and NAS for online storage and backups it's increasingly easy to saturate existing LANs.

One possible solution as people start to look at 10 and 100Gbps networks is FireEngine (PDF), a set of architecture changes and improvements for Solaris 10. The white-paper linked to above provides a nice overview on what they've changed and some estimated (almost all benchmarks are lies ;)) performance improvements; all I need now are a couple of 10Gbps NICs!

Posted: 2004/12/05 16:13 | /operatingsystems/solaris


The Devil's in the Details
From an article called Faster Python grabs programmers:
The new version of Python includes a new module that allows system administrators to use small Python programs instead of shell scripts, said Michael McLay, a consultant who is the resident Python expert for the nonprofit Center of Open Source and Government. Shell scripts, written to execute routine system administration tasks, have more security vulnerabilities and offer less feedback when errors occur, McLay said.

I'm pretty familiar with dynamic scripting languages and even I had to scratch my head at that one. My assumption (probably wrong) is that the new Python has some kind of compiling module included but in order to even make that leap you have to have enough experience with non-techs writing tech articles to understand what *they* think the difference between a program and a shell script is. If they assume you have enough knowledge to find the difference then why not spend another sentence and actually tell you some of the 'how' and not just the 'what'. I'm not a supporter of dumbing down news and reporting but can we have some useful context please!

While I can understand not wanting to bog down the average reader in technical details it'd be nice if they provided enough information to aid in a Google search...

Posted: 2004/12/05 16:13 | /geekstuff


PDFs, Word Docs and Linking to Web Unfriendly File-formats
I'm not a big fan of unmarked links pointing to resources that require an external viewer. The worst of these formats, such as PDFs or the Microsoft Office formats, cause the browser to pretty much halt for a couple of seconds while the viewer is loaded and then change the behaviour of the UI (if you are viewing a PDF in FireFox for example, Ctrl-W will not close that tab) in a way that seems designed to annoy people who know how to use the keyboard.

Fortunately there is now an extension, called TargetAlert, for FireFox and Mozilla users that changes the HTML when it receives a page load event and adds icons to highlight links like these.

It's also worth noting that you can customise (the default types) and toggle if they should display the icons or not.

Posted: 2004/12/05 16:13 | /tools/firefox


Wed, 01 Dec 2004

Google Talk -- London
Google recently held a short talk in London (they are recruiting for their 'new' Dublin office) that covered a couple of interesting topics such as redundancy using commodity technology (LOTS of cheap machines with the same data), how to create rolling brown outs (rooms packed full of 80 1U servers in every rack seems to do it) and how to horizontally scale everything to meet their needs.

The one slide that really caught my attention was mostly flippant but makes an important point about the kind of traffic they are dealing with:

And the killer reason to work at Google? Each staff member is encouraged to spend 20% of their working time looking at new technology and areas of interest. Imagine being given a day a week to work on things that may, at some remote point in the future, positively impact the company.

Posted: 2004/12/01 16:42 | /events


PHP Easter Eggs and Version Disclosure
There has recently been a thread about PHP easter eggs on the webappsec security list. In essence if you call ANY PHP page with certain parameters custom pages will be returned.

Here's an example of the PHP Credits Page. It may seem a little petty to complain about such a small thing in a code-base provided for free but there is a more serious aspect to this, the pages returned vary depending on the version of PHP you run so it's possible to use this to determine which version the server is running; even if you've changed the ServerTokens directive to something more restrictive than the default.

While you can disable this using 'expose_php = Off' in your php.ini file, easter eggs in Internet exposed production code annoy the hell out of me.
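To confirm the setting above is actually in effect, this added example (not from the original post) reads php.ini and Apache configuration text and reports the effective expose_php and ServerTokens values, including the case where the line is present but commented out. The function names are hypothetical and the sample configuration text is constructed.

```python
import re

# Spellings PHP's ini parser treats as boolean true.
_PHP_TRUE = {"1", "on", "true", "yes"}
# Apache accepts short and long forms for the same ServerTokens level.
_TOKEN_ALIASES = {"min": "minimal", "productonly": "prod"}

# Constructed sample input: expose_php is only present as a comment.
SAMPLE_PHP_INI = """[PHP]
engine = On
; expose_php = Off
short_open_tag = Off
"""
SAMPLE_HTTPD_CONF = """ServerName www.example.org
# ServerTokens Full
ServerTokens Prod
"""


def effective_expose_php(ini_text):
    """Return True if expose_php ends up enabled (PHP's built-in default is On)."""
    enabled = True
    for raw in ini_text.splitlines():
        # Everything after ';' is a comment, so a commented-out setting has no effect.
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key != "expose_php":  # directive names are case sensitive
            continue
        value = value.strip("\"'").lower()
        if value in _PHP_TRUE:
            enabled = True  # the last assignment in the file wins
        else:
            # Non-zero integers also mean on; Off/False/No/None/empty mean off.
            enabled = bool(re.fullmatch(r"-?\d+", value)) and int(value) != 0
    return enabled


def effective_server_tokens(conf_text):
    """Return the effective ServerTokens level in lower case (Apache's default is Full)."""
    level = "full"
    for raw in conf_text.splitlines():
        # Directive names are case insensitive; lines starting with '#' never match.
        found = re.match(r"\s*ServerTokens\s+(\S+)", raw, re.IGNORECASE)
        if found:
            name = found.group(1).lower()
            level = _TOKEN_ALIASES.get(name, name)
    return level


def audit(ini_text, conf_text):
    """Return findings about remaining version disclosure."""
    findings = []
    tokens = effective_server_tokens(conf_text)
    if effective_expose_php(ini_text):
        findings.append(
            "expose_php is On: PHP still identifies itself, whatever "
            "ServerTokens (%s) does to the Server header" % tokens
        )
    if tokens == "full":
        findings.append("ServerTokens is Full: the Server header lists versions and modules")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PHP_INI, SAMPLE_HTTPD_CONF):
        print(finding)
```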

Posted: 2004/12/01 16:41 | /security


apt-dupdate -- Smaller Sources Files
I wasn't going to mention this but I'm on dial-up this week and so dog slow down-loading has become an issue for me and this tool might be useful for people in a similar position. The short version is that the packages/Sources file is quite big, down-loading it each day can actually be quite a big hit in terms of bandwidth, apt-dupdate plans to get around this using bzipped diffs rather than re-sending the whole thing. For further details have a look at the apt-dupdate announcement

Posted: 2004/12/01 16:36 | /operatingsystems/linux


Never Negotiate With Yourself
This may seem obvious but the number of people that break this simple rule never fails to amaze me. Let's look at an example, you are meeting with a potential hire and you are discussing salary, as an aside if they are good pay them above the going rate; that's a different post!

You make an offer of 30 thousand a year, the other person doesn't look too impressed. What you should never do (and ignore any uncomfortable silences) is then make another, higher, offer. Suppose you then offer 35 or 40, the candidate may be willing to settle for 32 but you've just lost the difference. You should instead wait until they make a counter offer and base your next move on the new information.

The other useful tidbit (also common sense) concerns negotiating when facing a deadline. Don't do it, the other party will stall and then force you to either make concessions at the end or you'll have to pay in time and money to rearrange your schedule in order to stay in the discussions. Following this logic you should always try and negotiate when you are in a position to outwait the other party.

Posted: 2004/12/01 16:17 | /nottech


(More) System (and less) Administration
I started out in IT as a developer working on financial systems using VBA, after a very short period of trying to do flexible string manipulation I stumbled on to Perl, Regular Expressions and the Win32::OLE module; I was hooked. About a year later I had the chance to work at a mostly Perl shop (at the tail end of the dotcom boom) and I was exposed to Unix systems, that's when things got interesting for me.

In my last few jobs I've worked as a Systems Administrator rather than a coder (I still write bits and pieces but nothing truly huge anymore) and I have to say I enjoy it, the work is diverse, you get to meet a lot of people (both internal and vendors) and it's often satisfying. So what am I posting about?

In my last few jobs I've noticed a disturbing trend concerning my average daily tasks, a bit of support, some tweaking and tuning and then paperwork. Shit-loads of it. While I've always been involved in licensing, documentation and similar as my experience increases I seem to be moving further and further away from the parts of the job I actually look forward to, solving problems. It's weird to think about how this works, I don't know any systems people that think "I love to fill out forms", it's always been a necessary evil, not the main focus. So where am I going with this? Well by writing it down I've had to think through what's annoying me about it and I have some ideas on how to reduce the paperwork; with automation and technology of course ;)

Posted: 2004/12/01 16:06 | /geekstuff


Copyright © 2000-2010 Dean Wilson